Systems and methods for taint analysis using pattern recognition
Abstract
Systems, methods, and non-transitory computer readable media including instructions for implementing a runtime virtual barrier for fine grained execution control are disclose. Implementing the runtime virtual barrier for fine grained execution control includes receiving, by an application capable of JavaScript execution, an executable code including an API invocation; intercepting, by a virtual barrier, the API invocation; determining that the API invocation is an invocation for a native API configured for subsequent execution in response to a trigger event; based on the determination that the API invocation is an invocation for a native API configured for subsequent execution, recording an invocation source identifier; and upon occurrence of the trigger event: retrieving the invocation source identifier; and influencing execution of the native API based on the invocation source identifier.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A non-transitory computer readable medium containing instructions that when executed by at least one processor cause the at least one processor to perform operations, comprising:
obtaining at least one runtime parameter associated with an execution environment; determining if input data associated with the at least one runtime parameter includes at least one character associated with a risk indicator; splitting the at least one runtime parameter into at least two parts based on the at least one character; obtaining a first string representation of an origin of an API invocation; comparing the at least two parts with the first string representation; identifying at least one first portion of the first string representation that matches at least one second portion of the at least two parts by comparing the at least two parts with the first string representation; upon the identifying, parsing the first string representation into a first Document Object Model (DOM) tree; replacing the identified portion of the first string representation with a benign set of characters to form a second string representation; parsing the second string representation into a second DOM tree; determining an existence of a difference between the first DOM tree and the second DOM tree; and in response to the determined existence of a difference between the first DOM tree and the second DOM tree, generating a notification for display in a user interface indicating a potential untrusted code injection.
2 . The non-transitory computer readable medium of claim 1 , wherein the at least one runtime parameter includes at least one of: a Uniform Resource Locator (URL), a URL parameter, an Application Programming Interface (API) invocation, a referral link, a local storage value, a network storage value, a cookie, or a hash value.
3 . The non-transitory computer readable medium of claim 1 , wherein the at least one character includes at least one of: a tag opening, a tag closing, or a double comma.
4 . The non-transitory computer readable medium of claim 1 , wherein the instructions are further executable by the at least one processor to cause the at least one processor to perform additional operations, comprising:
determining that the at least one runtime parameter is encoded; decoding the at least one encoded runtime parameter; and replacing the at least one encoded runtime parameter with the decoded at least one runtime parameter.
5 . The non-transitory computer readable medium of claim 1 , wherein the instructions are further executable by the at least one processor to cause the at least one processor to store the at least two parts of the at least one runtime parameter in a matrix having multiple cells, wherein comparing the at least two parts with the first string representation includes comparing the at least a portion of the first string representation with content of each cell in the matrix.
6 . The non-transitory computer readable medium of claim 1 , wherein the at least one runtime parameter includes a Hypertext Markup Language (HTML) string.
7 . The non-transitory computer readable medium of claim 1 , wherein determining if the input data associated with the at least one runtime parameter includes at least one character associated with the risk indicator includes performing at least one of:
accessing a set of predefined characters and determining that the at least one character is included in the set of predefined characters; determining if an input value associated with the at least one runtime parameter is encoded; or determining if input data associated with the at least one runtime parameter has a length exceeding a length threshold.
8 . The non-transitory computer readable medium of claim 1 , wherein the instructions are further executable by the at least one processor to determine that the at least one runtime parameter is associated with cross-site scripting, wherein the at least one runtime parameter is obtained based on the determination that the at least one runtime parameter is associated with cross-site scripting.
9 . The non-transitory computer readable medium of claim 8 , wherein determining that the at least one runtime parameter is associated with cross-site scripting includes determining that the at least one runtime parameter is associated with a reflected cross-site scripting attack.
10 . The non-transitory computer readable medium of claim 8 , wherein determining that the at least one runtime parameter is associated with cross-site scripting includes determining that the at least one runtime parameter is associated with a Document Object Module (DOM)-based cross-site scripting attack.
11 . The non-transitory computer readable medium of claim 1 , wherein instructions are further executable by the at least one processor to suspend, in response to the determined existence of a difference between the first DOM tree and the second DOM tree, an execution associated with the at least one runtime parameter.
12 . A method for sanitizing data within a native environment, the method comprising:
obtaining at least one runtime parameter associated with an execution environment; determining if input data associated with the at least one runtime parameter includes at least one character associated with a risk indicator; splitting the at least one runtime parameter into at least two parts based on the at least one character; obtaining a first string representation of an origin of an API invocation; comparing the at least two parts with the first string representation; identifying at least one first portion of the first string representation that matches at least one second portion of the at least two parts by comparing the at least two parts with the first string representation; upon the identifying, parsing the first string representation into a first Document Object Model (DOM) tree; replacing the identified portion of the first string representation with a benign set of characters to form a second string representation; parsing the second string representation into a second DOM tree; determining an existence of a difference between the first DOM tree and the second DOM tree; and in response to the determined existence of a difference between the first DOM tree and the second DOM tree, generating a notification for display in a user interface indicating a potential untrusted code injection.
13 . The method of claim 12 , wherein the at least one runtime parameter includes at least one of: a Uniform Resource Locator (URL), a URL parameter, an Application Programming Interface (API) invocation, a referral link, a local storage value, a network storage value, a cookie, or a hash value.
14 . The method of claim 12 , wherein the at least one character includes at least one of: a tag opening, a tag closing, or a double comma.
15 . The method of claim 12 , further comprising:
determining that the at least one runtime parameter is encoded; decoding the at least one encoded runtime parameter; and replacing the at least one encoded runtime parameter with the decoded at least one runtime parameter.
16 . The method of claim 12 , further comprising storing the at least two parts of the at least one runtime parameter in a matrix having multiple cells, wherein comparing the at least two parts with the first string representation includes comparing the at least a portion of the first string representation with content of each cell in the matrix.
17 . The method of claim 12 , wherein determining if the input data associated with the at least one runtime parameter includes at least one character associated with the risk indicator includes performing at least one of:
accessing a set of predefined characters and accessing a set of predefined characters and determining that the at least one character is included in the set of predefined characters; determining if an input value associated with the at least one runtime parameter is encoded; or determining if input data associated with the at least one runtime parameter has a length exceeding a threshold.
18 . The method of claim 12 , further comprising determining that the at least one runtime parameter is associated with cross-site scripting, wherein the at least one runtime parameter is obtained based on the determination that the at least one runtime parameter is associated with cross-site scripting.
19 . The method of claim 18 , further comprising suspending, in response to the determined existence of a difference between the first DOM tree and the second DOM tree, an execution associated with the at least one runtime parameter.
20 . A system for sanitizing data within a native environment, the system comprising at least one processor configured to:
obtain at least one runtime parameter associated with an execution environment; determining if input data associated with the at least one runtime parameter includes at least one character associated with a risk indicator; split the at least one runtime parameter into at least two parts based on the at least one character; obtain a first string representation of an origin of an API invocation; compare the at least two parts with the first string representation; identify at least one first portion of the first string representation that matches at least one second portion of the at least two parts by comparing the at least two parts with the string representation; upon the identifying, parse the first string representation into a first Document Object Model (DOM) tree; replace the identified portion of the first string representation with a benign set of characters to form a second string representation; parse the second string representation into a second DOM tree; determine an existence of a difference between the first DOM tree and the second DOM tree; and in response to the determined existence of a difference between the first DOM tree and the second DOM tree, generate a notification for display in a user interface indicating a potential untrusted code injection.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.